Federal CIO: Cloud Selection Toolkit
Georgetown University: Chris Radich, Dana Christiansen, Doyle Zhang, India Donald
Agenda
• Project Introduction
• Agency Cloud Challenges
• Toolkit Solution Overview
▫ Step 1: Data Gathering
▫ Step 2: Cloud Readiness Assessment
▫ Step 3: Vendor Selection
▫ Step 4: Preparing for Change and Risks
• Conclusion
Project Introduction
• Gartner defines cloud computing as "a style of computing where scalable and elastic IT-related capabilities are provided 'as a service' to customers using Internet technologies."
• For cloud computing to be successful, organizations require a thorough and rigorous adoption strategy:
▫ One that takes into account the risks and reaps the rewards
▫ Ad hoc methods result in increased risk, expenditures and liability
Cloud Computing Service Models
[Figure: layered service-model diagram with the layers Business Services, Information Services, Software as a Service, Platform as a Service and Infrastructure as a Service, the Cloud Enablers alongside, and the example elements Data Center, Middleware, BPO, Packaged Apps and Information Feeds.]
The provider optimizes everything below the service boundary, and hides complexity from the consumer.
The consumer accesses, configures and/or extends the service and builds everything needed above the service boundary — or just uses the service.
Agency Cloud Challenges
• Funding for restructuring costs
▫ No cost savings realized until 2nd year of cloud projects
• Rebalance IT workforce and skill levels
• FISMA compliance and C&A contract vehicles
• Agencies must avoid compliance mode
▫ Three annual moves to Commercial or Gov’t clouds
▫ Use the 25 Point Plan as an opportunity to strategically plan for future IT success
The Federal CIO Cloud Selection Toolkit will alleviate political pressures and reduce the complexity of “cloud investment decisions”.
Toolkit Solution Overview
Develop a rigorous methodology to:
• Identify potential agency cloud candidates
• Determine cloud costs and ROI
• Determine impacts to the organization
• Identify and vet cloud providers
• Identify business impacts and risks
• Mitigate residual risks
Business Impact Determines Cloud Investment Decisions
[Figure: 2x2 matrix plotting Benefit (High & Clear / Low or Uncertain) against Challenges (Low & Manageable / High or Unmanageable); quadrants labelled Avoid, Embrace Public, Experiment, Consider Private.]
Step 1: Data Gathering
• Architecture
• Work Load
Step 1: Data Gathering
• Technology
▫ OS, DB, Application stack vendor
- Include licensing cost based on model
▫ Load balancing between private and public cloud or disparate public clouds
▫ Integration of KPIs of app running on cloud with existing monitoring tools
▫ Solution type: transactional, reporting, analytic, etc.
▫ Release cycle for app
• Organization
▫ # of users
▫ # of sites
▫ # of vendors (contracted)
▫ # of business units impacted
▫ # of people impacted
Step 1: Data Gathering
• Security, Privacy & Compliance
▫ Identity & Access Management of users in cloud
▫ Cost to implement new controls (i.e. encryption)
▫ Cost to maintain existing controls
- Include: log monitoring, access monitoring, forensic evidence preservation, separation of duties, patching, etc.
• Demographics
▫ # of components
▫ # of environments
▫ # of servers
▫ # of releases per year
▫ # of codes maintained
▫ # of programming languages
▫ # of COTS apps
Step 1: Data Gathering
• Operations
▫ % annual budget spent on software maintenance & training
▫ Cost/revenue impact
▫ Mission criticality
▫ # of trouble tickets
▫ # defects outstanding
- Include average severity of defects outstanding
• End user/Business user Requirements
▫ Latency to connect to app
▫ Frequency of information accessed
▫ SLA requirements on availability & support
Step 2: Cloud Readiness Assessment
The Assessment phase includes conducting a current state analysis, requirements definition, and developing a vision. This phase will further refine and confirm the legacy system can benefit from the joint service offering.
Current State Assessments
• Key activities:
▫ Understand legacy system current technical environment
▫ Understand legacy system operational environment
▫ Assess the fit of product offering
▫ Assess organization data compliance and security needs
▫ Assess organization current IT infrastructure for continuity and application interdependencies
▫ Assess current organization risk tolerance and resource constraints
• Key deliverable: Current State Document
Requirements Definition
• Key activities:
▫ Interview key stakeholders
▫ Conduct requirements definition workshop
▫ Validate requirements
▫ Develop Requirements Document
▫ Define compliance and security needs for new solution
• Key deliverable: Requirements Document
Define Vision
• Key activities:
▫ Define goals
▫ Define short term and long term vision
▫ Define level of migration to the new solution
• Key deliverables: Scope Statement; Vision Document
Assessment flow: Current state IT assessment → Current state Financial assessment → Current state Operational assessment → Requirements Definition → Client Go / No-Go
Step 2: Cloud Readiness Assessment
Assessment Approach
[Figure: assessment flow from the Current State IT Assessment through Technical Requirements, Business Requirements and Cost Benefit Analysis to a Future State Analysis of a Private, Public, Community or Hybrid cloud solution.]
• Current state inputs: current legacy system IT infrastructure; current organization risk tolerance; current organization resource constraints
• Technical Requirements: Application Complexity; Network Bandwidth; Infrastructure Requirements; Virtualization Candidate; Infrastructure Specialization
• Business Requirements: Application Criticality; User Impact; Service Level Requirements; Internal / External Facing; Security Concerns
• Cost Benefit Analysis: Transition Costs; Operating Model Implications; Management Considerations
• Future State Analysis: Private, Public, Community or Hybrid cloud solution
Agencies must meet the assessment criteria at each step before passing on to the next; in some cases technical and business requirements may be evaluated concurrently. Agencies will be given a scorecard for each criterion (red/yellow/green).
Even within each area, failure to meet a fundamental evaluation criterion means the application is not suitable for cloud at this time.
Agency applications are assessed against the following attributes:
- Low or moderate application criticality
- Minimal to some interdependencies on other apps / data
- Uses commodity hardware
- Bandwidth requirements
- Standalone environments or software stack
- Does not depend on specialized appliances
- Low / moderate SLA requirements
- No confidential data, or data can be easily masked
Step 2: Cloud Readiness Assessment
Cloud Assessment Criteria
Level 1: Current State Assessment (Red/Yellow/Green)
• Legacy System Criticality: defined by the business for production environments
• Legacy System Complexity: architecture complexity; dependencies on other applications, databases, middleware
• Virtualization Candidate: can the workload be virtualized? This depends on the platform OS and the virtualization platform
• Commodity Infrastructure: workload runs on commodity infrastructure
Level 2: Determine Suitability for Cloud
Technical Feasibility (Red/Yellow/Green)
• Network Bandwidth: LAN or WAN network bandwidth requirements when the workload runs in the cloud
• Infrastructure Requirements: the scale of compute, storage and network required to support the workload
• Shared Environments: environment types that would be supported by a shared environment
• Shared Software: software (e.g., databases, middleware) shared with other software
• Specialized Infrastructure: dependency on special-purpose proprietary appliances, devices, licenses, hardware, etc.
Business Feasibility (Red/Yellow/Green)
• Internal / External Facing: does the system provide a customer-facing service or a back-office function (e.g., HR)?
• User Impact: impact on the user community due to the move of the workload to the cloud (e.g., lack of access for a subset of users)
• Service Level Requirements: availability, response time, recoverability, disaster recovery, etc.
• Customer / Confidential Data: do the provider location or other characteristics of the cloud service meet the security requirements for how and where data needs to be stored?
Level 3: Business Case and Operational Analysis
• Business Case Analysis: cost / benefit analysis, including initial and migration costs, ongoing costs and ROI timeframe
• Detailed Technical Analysis: what changes will be required for the application? What will the future application architecture look like?
• Operational Analysis: what is the operational impact of moving the workload to the cloud? What is the support model after the move? What are the provider vs. client responsibilities and hand-offs?
• Management Considerations: how is the workload managed in the cloud (e.g., using internal and vendor-provided tools, processes and staff)?
Go / No-Go: based on the Assessment Scorecard
Step 2: Cloud Readiness Assessment
Cloud Assessment Decision Matrix
[Table: rows Level 1: Current State Assessment, Level 2: Technical Feasibility, Level 3: Business Feasibility and Go / No Go Decision; columns Red, Yellow, Green and Go/No-Go Decision; the cells are blank in the source and are filled in from the scorecard.]
Go / No Go Decision
• Red: at most 1 red rating across all categories for an Agency Go into the cloud solution; otherwise No Go.
• Yellow: at most 2 yellow ratings across all categories for an Agency Go into the cloud solution; otherwise No Go.
• Green: at least 2 green ratings across all categories for an Agency Go into the cloud solution; otherwise No Go.
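As an added example (not part of the original deck), the following Python applies the three Go/No-Go rules above to a red/yellow/green scorecard, walking the levels in the order the deck gates them. The criteria names are the deck's and the sample ratings are constructed; treating the red and yellow limits as cumulative checks at each level, with the green minimum checked once every level is scored, is an assumption.

```python
from collections import Counter

MAX_RED, MAX_YELLOW, MIN_GREEN = 1, 2, 2   # the deck's thresholds, across all categories
VALID = {"red", "yellow", "green"}
# Levels in the order the deck gates them: pass one before the next is scored.
LEVELS = ("Level 1: Current State Assessment",
          "Level 2: Technical Feasibility",
          "Level 3: Business Feasibility")

def over_limits(counts):
    """Red/yellow rule violations for a Counter of the ratings seen so far."""
    problems = []
    if counts["red"] > MAX_RED:
        problems.append(f"{counts['red']} red (max {MAX_RED})")
    if counts["yellow"] > MAX_YELLOW:
        problems.append(f"{counts['yellow']} yellow (max {MAX_YELLOW})")
    return problems

def decide(scorecard):
    """Return (decision, level_failed, reasons). Assumption: reds and yellows
    accumulate and are checked at every gate; the green minimum applies at the end."""
    cumulative = Counter()
    for level in LEVELS:
        ratings = scorecard.get(level, {})
        bad = {c: r for c, r in ratings.items() if r not in VALID}
        if bad:
            raise ValueError(f"{level}: unrated or invalid criteria {bad}")
        cumulative.update(ratings.values())
        problems = over_limits(cumulative)
        if problems:
            return "No Go", level, problems
    if cumulative["green"] < MIN_GREEN:
        return "No Go", LEVELS[-1], [f"{cumulative['green']} green (min {MIN_GREEN})"]
    return "Go", None, []

# Constructed sample scorecard using the deck's criteria names (0 red, 2 yellow, 11 green).
GO_CARD = {
    LEVELS[0]: {"Legacy System Criticality": "green", "Legacy System Complexity": "green",
                "Virtualization Candidate": "green", "Commodity Infrastructure": "green"},
    LEVELS[1]: {"Network Bandwidth": "yellow", "Infrastructure Requirements": "green",
                "Shared Environments": "green", "Shared Software": "green",
                "Specialized Infrastructure": "green"},
    LEVELS[2]: {"Internal / External Facing": "green", "User Impact": "green",
                "Service Level Requirements": "green", "Customer / Confidential Data": "yellow"},
}
# Same card with a red at Level 1 and a second red at Level 2: the walk stops at Level 2.
NO_GO_CARD = {lvl: dict(r) for lvl, r in GO_CARD.items()}
NO_GO_CARD[LEVELS[0]]["Legacy System Criticality"] = "red"
NO_GO_CARD[LEVELS[1]]["Specialized Infrastructure"] = "red"
```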
Step 3: Vendor Selection
1. Create a Detailed RFI/RFP
2. Review RFI/RFP Responses:
• Any vendor that cannot meet service requirements should be removed from consideration
• May discover that no vendor can meet requirements:
▫ Service is cloud-ready, but cloud is not ready for the service
- Reassess requirements or maintain services internally
Step 3: Vendor Selection Criteria
Step 3: Vendor Selection
3. Select vendor and devise migration plan:
• Some vendors may not respond to RFQ:
▫ Cloud model is pay-as-you-go; vendors may not negotiate
• Once vendor is selected, initiate migration planning, and add to cloud adoption road map
Step 4: Change and Risk Management
RISK ASSESSMENT MATRIX
                   PROBABILITY
IMPACT        Low      Medium     High
High          L        M          H
Medium        L        M          M
Low           L        L          L
RISK LEVEL: RISK DESCRIPTION & NECESSARY ACTIONS
• High: If an observation or finding is evaluated as a high risk, there is a strong need for corrective measures.
• Medium: If an observation is rated as medium risk, corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.
• Low: If an observation is described as low risk, determine whether corrective actions are still required or decide to accept the risk.
Step 4: Change and Risk Management
Risk (Risk Level): Mitigation
• Costs (H): Maintain strict budget; Clearly communicate requirements & needs to vendor
• Privacy (M): Establish authentication & access control procedures; Implement data encryption
• Integrity (H): Establish incident response program; Implement security & configuration best practices
• Compliance (L): Perform vulnerability scanning; Audit controls
• Availability (M): Establish security & disaster recovery processes & procedures
Step 4: Change and Risk Management
Change Management
Phased Approach
Transparency
Leadership
Education
Next Steps
Develop detailed business case, gain OMB and Agency approval
Upon approval, develop detailed transition plan
Measure project execution and monitor SLAs / contract performance
Conclusion
• Successful transformation begins with strategic selection of cloud deployments
• Moving away from ad-hoc selection ensures alignment with solutions and reduction of risk
• The proper portfolio of cloud projects increases the project success rate
• Disciplined and repeatable selection drives rapid cloud adoption and increased success rates
References
• Heiser, Jay, and Mark Nicolett. "Assessing the Security Risks of Cloud Computing." www.gartner.com. Gartner, Inc., 3 June 2008. Web. 26 July 2011. <http://my.gartner.com/portal/server.pt?open=512>.
• "HP and Deloitte Alliance - Federal Market Offering Overview." Cloud Computing Forecasting Change. HP and Deloitte, 1 Apr. 2011. Web. 10 July 2011. <https://kx.deloitteresources.com/G1000/lists/PublishedContent/dispform.aspx?id=107489&Source>.
• Jackson, Chris. "Implementing a Decision Framework for Cloud Migration." Cloud Computing in Healthcare. Cloud Computing in Healthcare Conference, 21 June 2011. Web. 1 Aug. 2011. <http://www.iibig.com/conferences/T1101/T1101_images/presentations/ChrisJackson_04.50.pdf>.
• Reeves, Drue. "Building a Solid Cloud Adoption Strategy: Success by Design." www.gartner.com. Gartner, Inc., 19 May 2010. Web. 1 Aug. 2011. <http://my.gartner.com/portal/server.pt?open=512>.
• Stoneburner, Gary, Alice Goguen, and Alexis Feringa. "Risk Management Guide for Information Technology Systems." NIST: National Institute of Standards and Technology, 1 July 2002. Web. 19 July 2011. <http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf>.
• "Top Threats to Cloud Computing V1.0." Cloud Security Alliance, 1 Mar. 2010. Web. 20 July 2011. <https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf>.